Data Protection Agreement

IML S.L.U., as identified in the Agreement (“Company”) and the legal entity that entered into an Agreement ("Affiliate Partner") with the Company for the provisions of the services described in the principal agreement entered between the parties (as amended for time to time, the "Agreement"), are agreeing to these Data Protection Agreement ("DPA").

This DPA is entered into by Company and Affiliate Partner and supplements the Agreement, and shall be effective, and replace any previously applicable terms relating to their subject matter, during the duration of the Agreement.

If you are accepting this DPA on behalf of Affiliate Partner, you warrant that: (a) you have full legal authority to bind Affiliate Partner to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Affiliate Partner, to this DPA. If you do not have the legal authority to bind Affiliate Partner, please do not accept this DPA.

  1. INTRODUCTION
    • This DPA reflect the Parties’ agreement on the processing of Personal Data in connection with the Data Protection Laws.
    • Any ambiguity in this DPA shall be resolved to permit the Parties to comply with all Data Protection Laws.
    • In the event and to the extent that the Data Protection Laws impose stricter obligations on the Parties than under this DPA, the Data Protection Laws shall prevail.

 

  1. DEFINITIONS AND INTERPRETATION
    • In this DPA:
      • Affiliate” means any person or entity directly or indirectly controlling, controlled by, or under common control with a Party. For the purpose of this definition, "control" (including, with correlative meanings, the terms "controlling", "controlled by" and "under common control with") means the power to manage or direct the affairs of the person or entity in question, whether by ownership of voting securities, by contract or otherwise.
      • Approved Jurisdiction“ means a jurisdiction approved as having adequate legal protections for data by the European Commission, currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
      • Data Protection Laws” means, as applicable, any and/or all applicable domestic and federal or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to them, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), Data Protection Act 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR") and any amendment or replacements to the foregoing.
      • Data Subject” means a natural person to whom Personal Data relates.
      • Personal Data” means any information which could be used, either directly or by employing additional means, to identify a natural person, and that is shared with or processed by the Affiliate Partner in the context of the performance of the Agreement..
      • Security Incident“ shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach will comprise a Security Incident
      • Standard Contractual Clauses” the applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021, as available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en.
      • Terms Effective Date” means the effective date of the Agreement.
      • The terms “controller”, “processing” and “processor” as used in this DPA have the meanings given to them in Data Protection Laws. Where applicable, controller shall be deemed as a “Business“ and processor shall be deemed to be a “Service Provider“, as these terms are defined in the CCPA.
      • Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

 

  1. APPLICATION OF THIS DPA
    • This DPA will only apply to the extent all of the following conditions are met:
      • Either Party processes Personal Data that is made available by the other Party in connection with the Agreement;
      • The Data Protection Laws apply to the processing of Personal Data.
    • This DPA will only apply to the services for which the Parties agreed to in the Agreement, which incorporates the DPA by reference.

 

  1. ROLES AND RESTRICTIONS ON PROCESSING
    • Independent Controllers. Each Party:

 

  1. PERSONAL DATA TRANSFERS
    • Where the GDPR is applicable, either Party may transfer Personal Data outside the European Economic Area or an Approved Jurisdiction, subject to one of the appropriate safeguards in Article 46 of the GDPR.

 

  1. DIRECT MARKETING
    • If Partner collects or process Personal Data for the purpose of carrying out direct marketing activities (including, without limitation, email campaigns or test-message campaigns; collectively “Direct Marketing”), which promote services or products offered by the Partner or other third parties ("Communications"), then Partner shall:
      • Comply with any and all Data Protection Laws that apply to such activity, including without limitation the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the e-Privacy Directive;
      • Ensure that is has provided the data subjects with any notice necessary as required under Data Protection Laws, prior to delivering any Communications;
      • Ensure that is has obtained and recorded the data subjects’ affirmative consent or otherwise has a legitimate interest, as expressly permissible under applicable Data Protection Laws, for the purpose of carrying out Direct Marketing, prior to delivering any Communications;
      • Upon Company’s request, provide the Company with any and all records relating the data subjects’ affirmative consent and notices provided to the data subjects;
      • Ensure that any and all Communications include a clear and conspicuous notice of the opportunity to opt-out of receiving future Communications, in an easy manner; 
      • Comply with any request to opt-out or unsubscribe from receiving Communications, as soon as technically feasible, and in any event within no later than seven (7) days as of the receipt of such request;
      • Ensure that the recipient of a Communications shall not be required to pay a fee or provide any other information for the purpose of opting-out of receiving Communications;
      • Ensure that Communications are not delivered to any data subject that were indicated, either by the Company or otherwise, to be excluded from the receipt of Communications, as directed by the Company, from time to time. 
      • Ensure that any and all Communications contain a clear and conspicuous identification that it is an advertisement or solicitation, and that the Communications do not contain any false or misleading information.
  1. PROTECTION OF PERSONAL DATA.
    • The Parties will provide a level of protection for Personal Data that is at least equivalent to that required under Data Protection Laws. Both Parties shall implement appropriate technical and organizational measures to protect the Personal Data.
    • In the event that a Party suffers a confirmed Security Incident with respect to Personal Data disclosed from the other Party, such Party shall notify the other Party without undue delay and the Parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident. In the event that a Party suffers a confirmed Security Incident, then such Party shall be responsible to notify the supervisory authority and/or the Data Subjects with respect to such Security Incident, as required under Data Protection Laws.

 

  1. MUTUAL ASSISTANCE
    • Each Party shall:
      • appoint at least one representative as point of contact and responsible manager for all issues arising out of the Data Protection Laws (a "Designated Representative"); the Designated Representative(s) of both Parties will work together in good faith to reach an agreement with regards to any issues arising from time to time in relation to the processing of Personal Data in connection with the Agreement and this DPA;
      • The Company’s Designated Representative is: DPO@ImLive.com .
      • The Affiliate Partner’s Designated Representative shall be introduced and the Affiliate will provide his details to the Company’s Designated Representative.
      • use reasonable measures to consult with the other Party about any notices given to Data Subjects in relation to the processing of Personal Data under the Agreement;
      • inform the other Party (without undue delay) in the event that it receives a Data Subject request related solely and exclusively to the other Party's respective processing activities and provide all reasonable assistance to ensure Data Subject requests are completed within the timeframe set out in Data Protection Laws;
      • provide the other Party with reasonable assistance (having regard to the data available to it) to enable the other Party to comply with any Data Subject request received by the other Party and to respond to any other queries or complaints from Data Subjects;
      • provide the other Party with such assistance as the other Party may reasonably request from time to time to enable the other Party to comply with its obligations under the Data Protection Laws including (without limitation) in respect of security, breach notifications, impact assessments and consultations with supervisory authorities or other regulators;
      • provide the other Party with such information as it may reasonably request in order to: (a) monitor the technical and organizational measures being taken to ensure compliance with the Data Protection Laws, or (b) satisfy any legal or regulatory requirements, including information reporting, disclosure and other related obligations to any regulatory authority from time to time;
      • in the event of an actual or potential Security Incident which does or is reasonably likely to affect the respective processing activities of both Parties, liaise with the other Party in good faith to consider what action is required in order to resolve the issue in accordance with the Data Protection Laws, and provide such reasonable assistance as is necessary to the other Party to facilitate the handling of such Security Incident in an expeditious and compliant manner.

 

  1. OBLIGATIONS UNDER THE CCPA
    • To the extent that Affiliate Partner processes Personal Data of Californian residents for a Business Purpose (as it is defined under the CCPA), it shall be regarded as a Service Provider and be subject to the following obligations:
      • Affiliate Partner shall not sell such Personal Data (as the term "sell" is defined under the CCPA).
      • Affiliate Partner is prohibited from retaining, using, or disclosing such Personal Data for a commercial purpose other than providing the services to Company under the Agreement and from retaining, using, or disclosing such Personal Data outside of the Agreement.
      • Affiliate Partner understands its obligations under this clause and will comply with them.
    • Notwithstanding the above, Affiliate Partner shall not sell Personal Data it received from or collected on behalf of the Company.

 

  1. RESOLUTION OF DISPUTES WITH DATA SUBJECTS OR SUPERVISORY AUTHORITIES
    • If either Party is the subject of a claim by a Data Subject or a supervisory authority or receives a notice or complaint from a supervisory authority relating to its respective processing activities (a "DP Claim"), it shall promptly inform the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim.
    • Where the DP Claim concerns the respective processing activities of one Party only, then that Party shall assume sole responsibility for disputing or settling the DP Claim.
    • Where the DP Claim concerns the respective processing activities of both Parties, then the Parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the DP Claim in a timely manner; provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other Party in advance.

 

  1. LIABILITY
    • Notwithstanding anything else in the Agreement, the total liability of either Party towards the other party under or in connection with this DPA will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement.

 

  1. PRIORITY
    • If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement then, the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
    • If there is any conflict or inconsistency between the terms of this DPA and the Standard Contractual Clauses, the terms of the Standard Contractual Clauses will govern.

 

  1. CHANGES TO THIS DPA.
    • Company may change this DPA if the change is required to comply with Data Protection Laws, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the parties as independent controllers of Personal Data under the Data Protection Laws; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Affiliate Partner, as reasonably determined by Company.
    • If Company intends to change this DPA under this section, and such change will have a material adverse impact on Affiliate Partner, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Affiliate Partner at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.
    • If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and each Party will promptly begin complying with such Data Protection Laws in respect of its respective processing activities.